I probably should have asked this when I joined, but suppose one of these apps records my nsec and then an employee steals all the accounts?


Discussion

Anyone with your nsec has access to the whole account dm and otherwise. You can always say "this account has been compromised" and switch to a new one. Key rotation, switching accounts seamlessly hasn't been solved yet.

Additionally, relays can see all your activity and IP address (geolocation) and have the potential to record it - so pay some mind about that. It's not a `known` issue, but still something to be aware of, and there are ways to mitigate it if you are concerned about that.

None of this is too far from regular social media, it just gets brought to the light because we're all potential builders and potential adversaries.

By design, an nsec is only ever on the client side. Unless an app is malicious, your nsec only lives in the client. Same thing with phone wallets.

There are some NOSTR signing tools to further insulate you from any single client if that's part of your threat model.
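A client/signer split of the kind those signing tools provide, as an added example (not code from this thread or from any Nostr project): the Signer object is the only thing that ever holds the secret key, the client builds the NIP-01 event and receives only the x-only public key and the finished signature, and verification needs nothing but the public key, which is all a relay ever sees. Signatures are BIP-340 Schnorr over secp256k1 in pure Python; the secret value and event content are constructed for the demo.

```python
import hashlib, json
# secp256k1 parameters (the curve Nostr keys and BIP-340 signatures use)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def _add(a, b):  # affine secp256k1 point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def _mul(k, pt):  # double-and-add scalar multiplication, most significant bit first
    r = None
    for bit in bin(k)[2:]:
        r = _add(_add(r, r), pt if bit == "1" else None)
    return r
def _th(tag, *parts):  # BIP-340 tagged hash: sha256(sha256(tag) || sha256(tag) || data)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + b"".join(parts)).digest()
def _lift_x(x):  # the even-y curve point with this x, or None if x is not on the curve
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y) if y * y % P == (x**3 + 7) % P else None
class Signer:  # the only place the secret key (nsec) lives; a client sees just these two methods
    def __init__(self, secret: int):
        self._d, self._pub = secret % N, _mul(secret % N, G)
        if self._pub[1] % 2: self._d = N - self._d  # BIP-340 signs with the even-y key
    def public_key(self) -> str:  # 32-byte x-only public key as hex (what npub encodes)
        return self._pub[0].to_bytes(32, "big").hex()
    def sign(self, msg32: bytes) -> str:  # BIP-340 with deterministic nonce, aux randomness fixed to zero
        px = bytes.fromhex(self.public_key())
        t = (self._d ^ int.from_bytes(_th("BIP0340/aux", bytes(32)), "big")).to_bytes(32, "big")
        k = int.from_bytes(_th("BIP0340/nonce", t, px, msg32), "big") % N
        R = _mul(k, G); k = k if R[1] % 2 == 0 else N - k  # R must have even y
        rx = R[0].to_bytes(32, "big")
        e = int.from_bytes(_th("BIP0340/challenge", rx, px, msg32), "big") % N
        return (rx + ((k + e * self._d) % N).to_bytes(32, "big")).hex()
def verify(msg32: bytes, pubkey_hex: str, sig_hex: str) -> bool:  # needs only the public key
    pub, sig = _lift_x(int(pubkey_hex, 16)), bytes.fromhex(sig_hex)
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pub is None or r >= P or s >= N: return False
    e = int.from_bytes(_th("BIP0340/challenge", sig[:32], bytes.fromhex(pubkey_hex), msg32), "big") % N
    R = _add(_mul(s, G), _mul(N - e, pub))  # s*G - e*P
    return R is not None and R[1] % 2 == 0 and R[0] == r
def client_publish(signer: Signer, content: str, created_at: int, kind: int = 1, tags=None) -> dict:
    # client side: computes the NIP-01 event id itself, then asks the signer for the signature
    tags, pk = tags or [], signer.public_key()
    ser = json.dumps([0, pk, created_at, kind, tags, content], separators=(",", ":"), ensure_ascii=False)
    eid = hashlib.sha256(ser.encode()).digest()
    return {"id": eid.hex(), "pubkey": pk, "created_at": created_at, "kind": kind,
            "tags": tags, "content": content, "sig": signer.sign(eid)}
```

Nothing in client_publish can read the key back out of the signer, which is the property a remote signer enforces across a process or device boundary; a client that asks you to paste the nsec directly has no such boundary.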